Class AclEntryVoter
- All Implemented Interfaces:
AccessDecisionVoter<org.aopalliance.intercept.MethodInvocation>
Given a domain object instance passed as a method argument, ensures the principal has
appropriate permission as indicated by the AclService
.
The AclService is used to retrieve the access control list (ACL) permissions associated with a domain object instance for the current Authentication object.
The voter will vote if any ConfigAttribute.getAttribute()
matches the
processConfigAttribute
. The provider will then locate the first method
argument of type AbstractAclVoter.processDomainObjectClass
. Assuming that method argument is
non-null, the provider will then lookup the ACLs from the AclManager
and
ensure the principal is Acl.isGranted(List, List, boolean)
when presenting the
requirePermission
array to that method.
If the method argument is null, the voter will abstain from voting. If the
method argument could not be found, an AuthorizationServiceException
will be
thrown.
In practical terms users will typically setup a number of AclEntryVoters. Each
will have a different processDomainObjectClass
,
processConfigAttribute
and requirePermission
combination. For
example, a small application might employ the following instances of
AclEntryVoter:
- Process domain object class
BankAccount
, configuration attributeVOTE_ACL_BANK_ACCONT_READ
, require permissionBasePermission.READ
- Process domain object class
BankAccount
, configuration attributeVOTE_ACL_BANK_ACCOUNT_WRITE
, require permission listBasePermission.WRITE
andBasePermission.CREATE
(allowing the principal to have either of these two permissions) - Process domain object class
Customer
, configuration attributeVOTE_ACL_CUSTOMER_READ
, require permissionBasePermission.READ
- Process domain object class
Customer
, configuration attributeVOTE_ACL_CUSTOMER_WRITE
, require permission listBasePermission.WRITE
andBasePermission.CREATE
AbstractAclVoter.processDomainObjectClass
if both BankAccount
and
Customer
had common parents.
If the principal does not have sufficient permissions, the voter will vote to deny access.
All comparisons and prefixes are case sensitive.
-
Field Summary
Fields inherited from interface org.springframework.security.access.AccessDecisionVoter
ACCESS_ABSTAIN, ACCESS_DENIED, ACCESS_GRANTED
-
Constructor Summary
ConstructorDescriptionAclEntryVoter
(AclService aclService, String processConfigAttribute, Permission[] requirePermission) -
Method Summary
Modifier and TypeMethodDescriptionprotected String
Optionally specifies a method of the domain object that will be used to obtain a contained domain object.protected String
void
setInternalMethod
(String internalMethod) void
setObjectIdentityRetrievalStrategy
(ObjectIdentityRetrievalStrategy objectIdentityRetrievalStrategy) void
setSidRetrievalStrategy
(SidRetrievalStrategy sidRetrievalStrategy) boolean
supports
(ConfigAttribute attribute) Indicates whether thisAccessDecisionVoter
is able to vote on the passedConfigAttribute
.int
vote
(Authentication authentication, org.aopalliance.intercept.MethodInvocation object, Collection<ConfigAttribute> attributes) Indicates whether or not access is granted.Methods inherited from class org.springframework.security.access.vote.AbstractAclVoter
getDomainObjectInstance, getProcessDomainObjectClass, setProcessDomainObjectClass, supports
-
Constructor Details
-
AclEntryVoter
public AclEntryVoter(AclService aclService, String processConfigAttribute, Permission[] requirePermission)
-
-
Method Details
-
getInternalMethod
Optionally specifies a method of the domain object that will be used to obtain a contained domain object. That contained domain object will be used for the ACL evaluation. This is useful if a domain object contains a parent that an ACL evaluation should be targeted for, instead of the child domain object (which perhaps is being created and as such does not yet have any ACL permissions)- Returns:
null
to use the domain object, or the name of a method (that requires no arguments) that should be invoked to obtain anObject
which will be the domain object used for ACL evaluation
-
setInternalMethod
-
getProcessConfigAttribute
-
setObjectIdentityRetrievalStrategy
public void setObjectIdentityRetrievalStrategy(ObjectIdentityRetrievalStrategy objectIdentityRetrievalStrategy) -
setSidRetrievalStrategy
-
supports
Description copied from interface:AccessDecisionVoter
Indicates whether thisAccessDecisionVoter
is able to vote on the passedConfigAttribute
.This allows the
AbstractSecurityInterceptor
to check every configuration attribute can be consumed by the configuredAccessDecisionManager
and/orRunAsManager
and/orAfterInvocationManager
.- Parameters:
attribute
- a configuration attribute that has been configured against theAbstractSecurityInterceptor
- Returns:
- true if this
AccessDecisionVoter
can support the passed configuration attribute
-
vote
public int vote(Authentication authentication, org.aopalliance.intercept.MethodInvocation object, Collection<ConfigAttribute> attributes) Description copied from interface:AccessDecisionVoter
Indicates whether or not access is granted.The decision must be affirmative (
ACCESS_GRANTED
), negative (ACCESS_DENIED
) or theAccessDecisionVoter
can abstain (ACCESS_ABSTAIN
) from voting. Under no circumstances should implementing classes return any other value. If a weighting of results is desired, this should be handled in a customAccessDecisionManager
instead.Unless an
AccessDecisionVoter
is specifically intended to vote on an access control decision due to a passed method invocation or configuration attribute parameter, it must returnACCESS_ABSTAIN
. This prevents the coordinatingAccessDecisionManager
from counting votes from thoseAccessDecisionVoter
s without a legitimate interest in the access control decision.Whilst the secured object (such as a
MethodInvocation
) is passed as a parameter to maximise flexibility in making access control decisions, implementing classes should not modify it or cause the represented invocation to take place (for example, by callingMethodInvocation.proceed()
).- Parameters:
authentication
- the caller making the invocationobject
- the secured object being invokedattributes
- the configuration attributes associated with the secured object- Returns:
- either
AccessDecisionVoter.ACCESS_GRANTED
,AccessDecisionVoter.ACCESS_ABSTAIN
orAccessDecisionVoter.ACCESS_DENIED
-